Azure Information Protection & PowerShell

Azure Information Protection is a great tool for labelling and protecting sensitive content. In my previous blogs I showed you the end-user (functional) side of AIP as well as the administration side. In this blog I want to focus on the administration side again and explain some of the PowerShell cmdlets you can use.

PowerShell is an administrator’s dream. It’s easy to use and very powerful. The AIP client also provides a couple of cmdlets which can make your (information protection) life a bit easier. You can use PowerShell to get a report on the label and protection status of your content, and you can also use it to classify and protect your content in bulk.

Can I use PowerShell cmdlets?

First things first. The cmdlets are provided with the AIP client. To use the most current version of the PowerShell cmdlets, you need the minimum AIP client version of 1.7.210.0. You can use PowerShell to check this as well. Open PowerShell and use this cmdlet:

(Get-Module AzureInformationProtection -ListAvailable).Version

If correct, PowerShell will display the currently installed version. In this example, the 1.9.210 preview client.

Available cmdlets

The AIP client comes equipped with a lot of built-in cmdlets. This list is from the Microsoft website:

In this blog I will focus on two: Get-AIPFileStatus and Set-AIPFileLabel. For this, I have a couple of documents stored locally on my workstation. Only one of these documents has been labelled and protected, and that’s the “Azure Information Protection …..” one.

Let’s say I want to know if the “Burgerservicenummer.docx” file is labelled and/or protected. To this end, I use the cmdlet Get-AIPFileStatus. This cmdlet returns all AIP information: label, RMS policy, and more. I only need to enter the filename, and this gets me:

As you can see, this cmdlet provides me with all AIP information I need.

Should the file be labelled and protected, I expect to see this.

Let’s see this in action.

These videos show you how to get the AIP information of an unlabelled and unprotected file (video 1) and a labelled file (video 2).

Multiple files

Getting the information from a single file might not be the function you are looking for. In most cases you probably need information on a collection of files, for instance all files in a specific folder or all files with a specific label. Basically, you just enter the folder instead of a single file when using the Get-AIPFileStatus cmdlet.

As a large list of files isn’t very handy, you can export this list to a comma-separated file (CSV). You use this cmdlet for this:

Get-AIPFileStatus -path D:\Users\hoitinal\Documents\AIP | Export-Csv -Path C:\temp\demo2.txt

All details of the files will now be stored in a text file, which you can open with Excel (for example).

Excel

It is also possible to add another condition to the cmdlet. For example, you want all information on files which have been labelled “Internal”. You use this cmdlet, which also exports the results to a CSV file.

Get-AIPFileStatus -Path \\Finance\Projects\ | Where-Object {$_.MainLabelName -eq 'Internal'} | Export-Csv C:\Reports\AIP-status.csv
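The two one-liners above can be combined into a small reporting script. The following is an added example, not code from the original post: it enumerates every file under a folder, asks Get-AIPFileStatus for its status, exports the columns an auditor usually needs, and then summarises how many files carry no label at all or a label without RMS protection. The folder and report paths are placeholders. MainLabelName is used on the page; the other property names (IsLabeled, IsRMSProtected, RMSTemplateName, LabelingMethod, LabelDate) are taken from the cmdlet's documented output and are assumed to be present in your client version.

```powershell
# Added example (not from the original post). Assumes the AIP client module
# is installed and you are signed in. Paths below are placeholders.
$ScanRoot   = 'D:\Users\hoitinal\Documents\AIP'
$ReportPath = 'C:\Reports\AIP-status.csv'

# Enumerate the files explicitly so the report states exactly what was
# covered, then ask the AIP client for each file's label/protection status.
$status = Get-ChildItem -Path $ScanRoot -Recurse -File |
    ForEach-Object { Get-AIPFileStatus -Path $_.FullName }

# Keep the columns that matter for an information-protection review.
# (Property names other than MainLabelName are assumed from the cmdlet's docs.)
$report = $status | Select-Object FileName, IsLabeled, MainLabelName,
    IsRMSProtected, RMSTemplateName, LabelingMethod, LabelDate

# -NoTypeInformation drops the "#TYPE" header line so Excel opens it cleanly.
$report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# Per-label overview: how much content sits under each label?
$report | Group-Object MainLabelName | Select-Object Name, Count | Format-Table -AutoSize

# The two findings a reviewer wants first: files with no classification, and
# files that were classified but where the label did not apply protection.
$unlabelled  = @($report | Where-Object { -not $_.IsLabeled })
$unprotected = @($report | Where-Object { $_.IsLabeled -and -not $_.IsRMSProtected })

"{0} files scanned, {1} unlabelled, {2} labelled but not RMS-protected" -f $report.Count, $unlabelled.Count, $unprotected.Count

# List the unlabelled files so they can be triaged (or labelled in bulk).
$unlabelled | Select-Object FileName | Format-Table -AutoSize
```

Enumerating with Get-ChildItem instead of passing the folder to -Path makes it easy to add your own filters (for example, only .docx and .xlsx files, or only files modified in the last 30 days) before the AIP client is asked to open each file, which keeps large scans shorter.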

These videos show you how to get the AIP information of multiple files in general (video 1) and based on the label-name (video 2).

Setting labels and/or protection

Getting information on the AIP status of files is pretty easy. But you can also use the cmdlets to automatically label and/or protect files. For example, you want to label a document with the label “Internal”. The cmdlet to use is Set-AIPFileLabel. This cmdlet requires the label-id and not the label name, so look up this label-id in the Azure Information Protection portal.

This is the cmdlet you use.

Set-AIPFileLabel -path D:\users\hoitinal\documents\AIP\Burgerservicenummer.docx -LabelId ba8a21f7-34b3-4230-a824-49f9a691cb35
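When you move from one file to a whole folder, two things become important: not overwriting a classification a user has already chosen, and being able to preview the change before it is made. The function below is an added example (not code from the original post) that applies one label to every file under a folder that is not yet labelled, supports -WhatIf/-Confirm through ShouldProcess, records a per-file result, and logs failures instead of aborting the run. The -PreserveFileDetails switch keeps the file's modified date unchanged; the LabelId value is the one shown on the page and should be replaced with the id of your own label. The Status property read from Set-AIPFileLabel's result object is assumed from the cmdlet's documented output.

```powershell
# Added example (not from the original post). Assumes the AIP client module
# is installed and you are signed in. Log path is a placeholder.
function Set-AIPLabelForUnlabelledFiles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [guid]   $LabelId,
        [string] $LogPath = 'C:\Reports\AIP-labelling-log.csv'
    )

    $results = foreach ($file in Get-ChildItem -Path $Path -Recurse -File) {
        $status = Get-AIPFileStatus -Path $file.FullName

        # Never replace a label someone already applied; only unlabelled
        # files are changed, so a manual "Confidential" is not downgraded.
        if ($status.IsLabeled) {
            [pscustomobject]@{ FileName = $file.FullName; Action = 'Skipped'
                               Detail = "already labelled '$($status.MainLabelName)'" }
            continue
        }

        # ShouldProcess gives the function -WhatIf and -Confirm behaviour:
        # with -WhatIf nothing is written, only "What if:" lines are shown.
        if (-not $PSCmdlet.ShouldProcess($file.FullName, "Apply label $LabelId")) {
            continue
        }

        try {
            # -PreserveFileDetails keeps the modified date as it was.
            $r = Set-AIPFileLabel -Path $file.FullName -LabelId $LabelId `
                                  -PreserveFileDetails -ErrorAction Stop
            [pscustomobject]@{ FileName = $file.FullName; Action = 'Labelled'
                               Detail = $r.Status }   # Status assumed from cmdlet docs
        }
        catch {
            # Log the failure and carry on with the next file.
            [pscustomobject]@{ FileName = $file.FullName; Action = 'Failed'
                               Detail = $_.Exception.Message }
        }
    }

    $results | Export-Csv -Path $LogPath -NoTypeInformation -Encoding UTF8
    $results
}

# Preview first (no files are modified), then run again without -WhatIf.
Set-AIPLabelForUnlabelledFiles -Path 'D:\Users\hoitinal\Documents\AIP' `
    -LabelId 'ba8a21f7-34b3-4230-a824-49f9a691cb35' -WhatIf
```

Because the function returns its result objects as well as writing the CSV, you can pipe it into Where-Object { $_.Action -eq 'Failed' } after a large run to see immediately which files need a second look.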

This video shows you how to set the AIP label for a file.

Using automatic classification

You can even use PowerShell to scan the content of your files and apply the required label and protection. This is a very powerful option. It uses the Set-AIPFileClassification cmdlet. When used, the cmdlet will scan every file in the path and apply the relevant policy based on the AIP rules.

More information

There are a lot of possibilities with these cmdlets; I haven’t shown you all of them. On this Microsoft webpage you will find all the cmdlets explained. I hope this blog provided some more information.

There are many more cmdlets, mostly for administrative purposes. One thing to keep in mind when using PowerShell (and this is from Microsoft):

Note that if you didn’t run the Set-RMSServerAuthentication command, you will be authenticated to the Azure Rights Management service by using your own user account. If you are on a domain-joined computer, your current credentials will always be used automatically. If you are on a workgroup computer, you will be prompted to sign in to Azure and these credentials are then cached for subsequent commands.

13 comments

    1. Hi John,

      I don’t think this is going to work. This cmdlet is used for content stored either on the device, a network share or on-premises SharePoint. I haven’t been able to use this on SharePoint Online. You should be able to use the new data-classification at rest, but this does need some arguments for determining the right label. You cannot just label everything with a “default” label. Probably Microsoft’s working on this, but I don’t have any information on that yet. If I find a way to work around this, I will let you (and the rest) know…..

  1. Is there a way to apply the AIP/Sensitivity labels to the files stored in SharePoint Online directly without downloading the file? It’s not feasible to download every file, apply a label and then upload the file again.

    1. Hi there,

      For this specific scenario, Microsoft released the auto-classification for data @rest functionality. This functionality allows you to scan and classify documents which are stored in either SharePoint Online or OneDrive for Business. https://alberthoitingh.com/2020/03/27/auto-labeling-data-at-rest-pt-1/

      Please note that you cannot use PowerShell or the AIP Scanner to scan online repositories.
      Auto-labeling does allow this, but does require an additional license.

      Hope this helps.

      Kind regards,

      Albert

      1. Thanks a lot Mate for the quick reply and this wonderful post. Appreciate the efforts!! Forgot to mention it earlier.
        We have a specific requirement – documents in our SharePoint Online have a metadata column which has a few values associated to it. So depending upon that value, we have to apply a specific sensitivity label. We have E5 so licensing is not of concern.

        So I don’t know whether auto labelling is capable of doing it or not (so far I have not been able to figure it out). If it does support our scenario then we can use it, but this is just a one-time activity that we want to do.

        So if there is no way then we don’t have any option except to download the docs, apply the label and then upload the docs as a new version. Let me know your thoughts on this approach. Thanks again.

      2. Hi there Sumit,

        Interesting scenario. This would have worked if we were talking about retention labels. These allow you to use content types and metadata (including those in the search index for SharePoint Online) to auto-classify the content. Unfortunately, sensitivity labels work differently and look at the content inside of documents themselves.

        So you can only use sensitive information types or trainable classifiers for this. But….. both won’t be able to work with the metadata columns. Sensitive information types only work with regex, keywords (and dictionaries). And again: these will be used to look at the content inside of a document.

        So I’m afraid this is not possible, at this time. You can use the Unified Labeling client with the OneDrive sync client. This way, you can just select the folder, right click, select the label and press Apply. This will result in a download/upload of documents. The modified data might change because of this, but I’m not sure about the “Modified by”. I just tested this and the “Modified by” did not change.

        By the way – some time ago there was some form of work-around (https://joannecklein.com/2017/11/14/aip-labels-via-sharepoint-metadata/). But this is no longer the case. You cannot modify the sensitivity label from SharePoint Online itself I’m afraid.

        Sorry about this….

  2. I completely understand Albert and appreciate your quick response and this smart solution. I will let you know if we go via this path.
    Thanks a lot Mate for taking time from your busy routine to help!! Cheers.


  4. Be warned!!!

    If you attempt to automate this you may experience random crashes using PowerShell.

  5. Hi Albert,
    Thank you for this information. I have thousands of files on-prem that I need to be able to use “PowerShell to scan the content of my files and apply the required label and protection required”. How do I go about doing so? Is there a script I can run to accomplish this? Thanks in advance!

    1. Hi John,

      Sorry for the late reply – I was away on holiday.
      But if you need to scan files on-prem at scale, then you should use the Azure Information Protection scanner. This will provide the required functionality and does not require PowerShell.
